UAB is revising its password/passphrase policy to ensure better security for campus assets.

Under the new policy that is being phased in beginning Sept. 15, passwords/passphrases will need to be 15 characters, but the passwords will expire after one year.

Implementation of the policy will be phased in; while users can change their passwords at any time at BlazerID Central, they will NOT be required to change their passwords to 15 characters until their current password expires. Enforcement of the new requirements and expiration will begin on the first password change event after the policy goes into effect on Sept. 15.

Fifteen-character passwords are much harder to crack than eight-character passwords, making them more secure than UAB’s current standard. Once a password/passphrase expires, a user will never be able to reuse it.

A strong passphrase:

Is a series of words that create a phrase.

Does not contain common phrases found in literature or music. You can choose a sentence or phrase that is familiar to you, but use the first letter of every word as a mnemonic device.

Does not contain words found in the dictionary. You can replace certain letters in words with numbers, such as 1 for an I or L.

Does not contain your user name, real name or company name.

UAB’s passphrases must contain three of the following four character types: an uppercase letter, a lowercase letter, a number and a special symbol.

When users log into BlazerID Central to change their passwords, they will automatically be prompted to enroll a phone number in the Identity feature, which allows users to more easily reset a BlazerID password/passphrase without having to contact AskIT.

UAB IT is also actively pursuing a contract for a password manager for faculty, staff and students.

Did you know there is a quick and easy way to reset your BlazerID password through BlazerID Central?

If you have a phone number registered for B-Alert/e-Notify, you can use the automated password reset. Just register a new or existing phone number for “Identity” in the e-Notify signup. You’ll get a text or voice message with a code to reset your password.

And if your password has expired, you can still log in to BlazerID Central with your old password to reset to a new password.

UAB’s password/passphrase policy, effective Jan. 1, 2014, requires faculty and staff to change their passwords every 90 days, and students to change their passwords every 180 days.

UAB IT has changed its notification schedule for changing your BlazerID password. Users now receive notices 15 days before their passwords expire, as well as seven days, three days, two days and one day prior to expiration.

Remember: E-mailed password change notices from UAB IT will NOT include clickable links, due to ongoing phishing attempts. All updates to your BlazerID password should be managed through BlazerID Central.

A strong password, changed at regular intervals, is one of the best ways to safeguard your information – and everyone else’s.

That’s why UAB requires employees to change their BlazerID passwords every 90 days, and students every 180 days.

Changing passwords often – and making sure they are both strong and secure – will help keep hackers out of your data and out of UAB’s systems.

Beginning Aug. 1, UAB IT will send the first reminder that you need to change your BlazerID password 15 days before the expiration date, a change from the previous 30-day advance notice. Reminders are also e-mailed one week, three days, two days and one day prior to expiration.

Password expiration notices tell you the exact date your password will expire so you can keep track of when you need to change it.

UAB Information Security recently discovered a new spam campaign where users are tricked into opening an email attachment that contains a virus aimed at stealing passwords and financial information. As with any suspicious email messages you may receive, please report them to askit@uab.edu for inspection.

The recent spam email messages are crafted to look like they came from one of several legitimate companies such as Chase Bank, the Better Business Bureau (BBB), Department of Treasury, Dun & Bradstreet Financial Services or a wire transfer company. You should be aware that these emails are forged and that none of the information included in the email can be trusted, including embedded links, e-mail addresses or phone numbers.

Here are some of the common email subject lines we have seen in this spam campaign:

Because your BlazerID password is used to open the door to many services and features on the UAB network, it is vital that it be strong enough to resist guessing by casual means. Someone breaking into your UAB records can be the first step toward identity theft, which is being well publicized now. To be sure you have a strong password, make sure it follows these rules:

Must be at least eight (8) and no more than sixteen (16) characters in length

Must be a mix of letters, numbers, and optionally punctuation characters [except the equal sign (=), comma (,), quotation marks (' or "), or spaces/blanks]

Should not include any part of your own name, or the names of any family members, pets, or friends

Should not include your BlazerID, or any personal identification number, phone number, or your birth date

Should not be a single word, in any common language

The BlazerID registration and password screens try to ensure these rules are followed to the best extent possible. Note that strong passwords do not have to be difficult to remember; combining a couple of familiar words and either replacing one letter with a number, or separating the words with a number or acceptable punctuation, is a common way of creating a password that is both easy to recall by you and hard to guess by others.

The first step in keeping your password secure is to create a good one. After you've created a strong password, continue with the suggestions below to keep it safe:

Never share your password with anyone.

This includes family, friends, significant others, computer support people, and bosses. If you need someone to read your email, you can have that person do so without using your password by using the delegates feature in MS Outlook.

Never save your password when prompted by your web browser or any other programs.